inline_svg 1.7.1 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 923ca3f0952247f48b3346decfe83b44216566a52a2f2bf4a9ba117a2626712b
-  data.tar.gz: afef4e221a4e7becce12338289eafe79b60138bd2706ec76a51229a588fe8e5d
+  metadata.gz: 23a2c45f1e25e4266196f0e2fc23a4384cb8513be840d2b676ae848b5be1d121
+  data.tar.gz: 8fdb1090f9037ed6c732469ffda28023e200d758533223d4bd9c85b5a20cfb72
 SHA512:
-  metadata.gz: 72bc4f1be354aa23bda0bb62814d194568691b9833e21b8da89594eea213f5ce6fc523ea60c04f19a7e23e546826c98a35ba6cf812579162c70bc6a0905c5d09
-  data.tar.gz: c0db9494ac8b67ad61c2dfa38f8b6bb64dad204bbf1978cc86f58600d71ee10f977a38ae74b69b7212293f31eec7ebec183c3c90e14aa274605ebe3972626ec7
+  metadata.gz: c3d98f05ba0b9ea222d1b852f87f30584ba4b775d7b6848a2366341e5e85bb6c9912bc1f8441117d129db4d63506d54dcd8ef4d633a5140359e25f5a829a8a1c
+  data.tar.gz: 45eb7d5c8a30f0814e9c775924690825ad3b3ee9c3ada3c9694bf3af46499ababaa1ba81f696514e08dc09aa5ae6520094820fc528ee34fbb307b856dc16b3f4

data/.github/workflows/integration_test.yml

@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        test-branch: [rails3, rails4, master, rails6, rails6-webpacker]
+        test-branch: [rails5, rails6, rails7]
     steps:
     - name: Checkout
       uses: actions/checkout@v2
@@ -18,10 +18,10 @@ jobs:
         repository: jamesmartin/inline_svg_test_app
         ref: ${{ matrix.test-branch }}
         path: test_app
-    - name: Set up Ruby 2.6
+    - name: Set up Ruby 2.7
       uses: actions/setup-ruby@v1
       with:
-        ruby-version: 2.6.x
+        ruby-version: 2.7.x
     - name: Build local gem
       run: |
         gem install bundler
@@ -41,17 +41,6 @@ jobs:
       run: |
         cd $GITHUB_WORKSPACE/test_app
         bundle install --jobs 4 --retry 3
-    - name: Set up Node.js 12.x
-      uses: actions/setup-node@v1
-      with:
-        node-version: 12.x
-      if: matrix.test-branch == 'rails6-webpacker'
-    - name: Generate Webpacker config
-      run: |
-        cd $GITHUB_WORKSPACE/test_app
-        yarn install --check-files
-        bundle exec rake webpacker:compile
-      if: matrix.test-branch == 'rails6-webpacker'
     - name: Test
       run: |
         cd $GITHUB_WORKSPACE/test_app

data/.github/workflows/rails_6_webpacker_integration_tests.yaml

@@ -0,0 +1,58 @@
+name: Rails 6 Webpacker Integration Tests (unreliable)
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        test-branch: [rails6-webpacker]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+    - name: Checkout test app
+      uses: actions/checkout@v2
+      with:
+        repository: jamesmartin/inline_svg_test_app
+        ref: ${{ matrix.test-branch }}
+        path: test_app
+    - name: Set up Ruby 2.7
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.7.x
+    - name: Build local gem
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        bundle exec rake build
+    - name: Use the local gem in the test App
+      id: uselocalgem
+      uses: jacobtomlinson/gha-find-replace@0.1.1
+      with:
+        find: "gem 'inline_svg'"
+        replace: "gem 'inline_svg', path: '${{github.workspace}}'"
+    - name: Check local gem in use
+      run: |
+        test "${{ steps.uselocalgem.outputs.modifiedFiles }}" != "0"
+        grep "inline_svg" $GITHUB_WORKSPACE/test_app/Gemfile
+    - name: Bundle
+      run: |
+        cd $GITHUB_WORKSPACE/test_app
+        bundle install --jobs 4 --retry 3
+    - name: Set up Node.js 16.x
+      uses: actions/setup-node@v2
+      with:
+        node-version: 16
+      if: matrix.test-branch == 'rails6-webpacker'
+    - name: Generate Webpacker config
+      run: |
+        cd $GITHUB_WORKSPACE/test_app
+        yarn install --check-files
+        bundle exec rake webpacker:compile
+      if: matrix.test-branch == 'rails6-webpacker'
+    - name: Test
+      run: |
+        cd $GITHUB_WORKSPACE/test_app
+        bundle exec rake test

data/CHANGELOG.md

@@ -4,7 +4,18 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased][unreleased]
 
-- Nothing
+Nothing.
+
+## [1.8.0] - 2022-01-09
+### Added
+- Remove deprecation warning for `inline_svg`, as we intend to keep it in 2.0. [#131](https://github.com/jamesmartin/inline_svg/pull/131). Thanks [@DanielJackson-Oslo](https://github.com/DanielJackson-Oslo)
+- Add support for Webpacker 6 beta. [#129](https://github.com/jamesmartin/inline_svg/pull/129). Thanks [@Intrepidd](https://github.com/Intrepidd) and [@tessi](https://github.com/tessi)
+- Add support for Propshaft assets in Rails 7. [#134](https://github.com/jamesmartin/inline_svg/pull/134). Thanks, [@martinzamuner](https://github.com/martinzamuner)
+
+## [1.7.2] - 2020-12-07
+### Fixed
+- Improve performance of `CachedAssetFile`. [#118](https://github.com/jamesmartin/inline_svg/pull/118). Thanks [@stevendaniels](https://github.com/stevendaniels)
+- Avoid XSS by preventing malicious input of filenames. [#117](https://github.com/jamesmartin/inline_svg/pull/117). Thanks [@pbyrne](https://github.com/pbyrne).
 
 ## [1.7.1] - 2020-03-17
 ### Fixed
@@ -18,7 +29,6 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 - Using Webpacker and Asset Pipeline in a single App could result in SVGs not being found because the wrong `AssetFinder` was used. [#114](https://github.com/jamesmartin/inline_svg/pull/114). Thanks, [@kylefox](https://github.com/kylefox)
 - Prevent "EOFError error" when using webpack dev server over HTTPS [#113](https://github.com/jamesmartin/inline_svg/pull/113). Thanks, [@kylefox](https://github.com/kylefox)
 
-
 ## [1.6.0] - 2019-11-13
 ### Added
 - Support Webpack via the new `inline_svg_pack_tag` helper and deprecate `inline_svg` helper in preparation for v2.0.
@@ -234,7 +244,9 @@ transformations](https://github.com/jamesmartin/inline_svg/blob/master/README.md
 ### Added
 - Basic Railtie and view helper to inline SVG documents to Rails views.
 
-[unreleased]: https://github.com/jamesmartin/inline_svg/compare/v1.7.1...HEAD
+[unreleased]: https://github.com/jamesmartin/inline_svg/compare/v1.8.0...HEAD
+[1.8.0]: https://github.com/jamesmartin/inline_svg/compare/v1.7.2...v1.8.0
+[1.7.2]: https://github.com/jamesmartin/inline_svg/compare/v1.7.1...v1.7.2
 [1.7.1]: https://github.com/jamesmartin/inline_svg/compare/v1.7.0...v1.7.1
 [1.7.0]: https://github.com/jamesmartin/inline_svg/compare/v1.6.0...v1.7.0
 [1.6.0]: https://github.com/jamesmartin/inline_svg/compare/v1.5.2...v1.6.0

data/README.md

@@ -12,10 +12,11 @@ then embeds it into a view.
 
 Inline SVG supports:
 
-- [Rails 3](http://weblog.rubyonrails.org/2010/8/29/rails-3-0-it-s-done/) (from [v0.12.0](https://github.com/jamesmartin/inline_svg/releases/tag/v0.12.0))
-- [Rails 4](http://weblog.rubyonrails.org/2013/6/25/Rails-4-0-final/)
 - [Rails 5](http://weblog.rubyonrails.org/2016/6/30/Rails-5-0-final/) (from [v0.10.0](https://github.com/jamesmartin/inline_svg/releases/tag/v0.10.0))
 - [Rails 6](https://weblog.rubyonrails.org/2019/4/24/Rails-6-0-rc1-released/) with Sprockets or Webpacker (from [v1.5.2](https://github.com/jamesmartin/inline_svg/releases/tag/v1.5.2)).
+- [Rails 7](https://weblog.rubyonrails.org/2021/12/6/Rails-7-0-rc-1-released/) (experimental)
+
+Inline SVG no longer officially supports Rails 3 or Rails 4 (although they may still work). In order to reduce the maintenance cost of this project we now follow the [Rails Maintenance Policy](https://guides.rubyonrails.org/maintenance_policy.html).
 
 ## Changelog
 
@@ -98,6 +99,7 @@ key                     | description
 `preserve_aspect_ratio` | adds a `preserveAspectRatio` attribute to the SVG
 `aria`                  | adds common accessibility attributes to the SVG (see [PR #34](https://github.com/jamesmartin/inline_svg/pull/34#issue-152062674) for details)
 `aria_hidden`           | adds the `aria-hidden=true` attribute to the SVG
+`fallback`              | set fallback SVG document
 
 Example:
 
@@ -113,7 +115,8 @@ inline_svg_tag(
   nocomment: true,
   preserve_aspect_ratio: 'xMaxYMax meet',
   aria: true,
-  aria_hidden: true
+  aria_hidden: true,
+  fallback: 'fallback-document.svg'
 )
 ```
 

data/lib/inline_svg/action_view/helpers.rb

@@ -17,15 +17,20 @@ module InlineSvg
       end
 
       def inline_svg(filename, transform_params={})
-        ActiveSupport::Deprecation.warn(
-          '`inline_svg` is deprecated and will be removed from inline_svg 2.0 (use `inline_svg_tag` or `inline_svg_pack_tag` instead)'
-        )
-
         render_inline_svg(filename, transform_params)
       end
 
       private
 
+      def backwards_compatible_html_escape(filename)
+        # html_escape_once was introduced in newer versions of Rails.
+        if ERB::Util.respond_to?(:html_escape_once)
+          ERB::Util.html_escape_once(filename)
+        else
+          ERB::Util.html_escape(filename)
+        end
+      end
+
       def render_inline_svg(filename, transform_params={})
         begin
           svg_file = read_svg(filename)
@@ -55,7 +60,7 @@ module InlineSvg
 
       def placeholder(filename)
         css_class = InlineSvg.configuration.svg_not_found_css_class
-        not_found_message = "'#{filename}' #{extension_hint(filename)}"
+        not_found_message = "'#{backwards_compatible_html_escape(filename)}' #{extension_hint(filename)}"
 
         if css_class.nil?
           return "<svg><!-- SVG file not found: #{not_found_message}--></svg>".html_safe

data/lib/inline_svg/cached_asset_file.rb

@@ -18,6 +18,7 @@ module InlineSvg
       @paths = Array(paths).compact.map { |p| Pathname.new(p) }
       @filters = Array(filters).map { |f| Regexp.new(f) }
       @assets = @paths.reduce({}) { |assets, p| assets.merge(read_assets(assets, p)) }
+      @sorted_asset_keys = assets.keys.sort { |a, b| a.size <=> b.size }
     end
 
     # Public: Finds the named asset and returns the contents as a string.
@@ -39,17 +40,7 @@ module InlineSvg
     # Returns a String representing the key for the named asset or nil if there
     # is no match.
     def key_for_asset(asset_name)
-      match = all_keys_matching(asset_name).sort do |a, b|
-        a.string.size <=> b.string.size
-      end.first
-      match && match.string
-    end
-
-    # Internal: Find all potential asset keys matching the given asset name.
-    #
-    # Returns an array of MatchData objects for keys matching the asset name.
-    def all_keys_matching(asset_name)
-      assets.keys.map { |k| /(#{asset_name})/.match(k.to_s) }.compact
+      @sorted_asset_keys.find { |k| k.include?(asset_name) }
     end
 
     # Internal: Recursively descends through current_paths reading each file it

data/lib/inline_svg/propshaft_asset_finder.rb

@@ -0,0 +1,15 @@
+module InlineSvg
+  class PropshaftAssetFinder
+    def self.find_asset(filename)
+      new(filename)
+    end
+
+    def initialize(filename)
+      @filename = filename
+    end
+
+    def pathname
+      ::Rails.application.assets.load_path.find(@filename).path
+    end
+  end
+end

data/lib/inline_svg/version.rb

@@ -1,3 +1,3 @@
 module InlineSvg
-  VERSION = "1.7.1"
+  VERSION = "1.8.0"
 end

data/lib/inline_svg/webpack_asset_finder.rb

@@ -6,7 +6,7 @@ module InlineSvg
 
     def initialize(filename)
       @filename = filename
-      @asset_path = Webpacker.manifest.lookup(@filename)
+      @asset_path = URI(Webpacker.manifest.lookup(@filename)).path
     end
 
     def pathname

data/lib/inline_svg.rb

@@ -3,6 +3,7 @@ require "inline_svg/action_view/helpers"
 require "inline_svg/asset_file"
 require "inline_svg/cached_asset_file"
 require "inline_svg/finds_asset_paths"
+require "inline_svg/propshaft_asset_finder"
 require "inline_svg/static_asset_finder"
 require "inline_svg/webpack_asset_finder"
 require "inline_svg/transform_pipeline"
@@ -41,6 +42,8 @@ module InlineSvg
     def asset_finder=(finder)
       @asset_finder = if finder.respond_to?(:find_asset)
                         finder
+                      elsif finder.class.name == "Propshaft::Assembly"
+                        InlineSvg::PropshaftAssetFinder
                       else
                         # fallback to a naive static asset finder
                         # (sprokects >= 3.0 && config.assets.precompile = false

data/spec/finds_asset_paths_spec.rb

@@ -45,4 +45,49 @@ describe InlineSvg::FindsAssetPaths do
       expect(InlineSvg::FindsAssetPaths.by_filename('some-file')).to be_nil
     end
   end
+
+  context "when propshaft finder returns an object which supports only the pathname method" do
+    it "returns fully qualified file paths from Propshaft" do
+      propshaft = double('PropshaftDouble')
+
+      expect(propshaft).to receive(:find_asset).with('some-file').
+        and_return(double(pathname: Pathname('/full/path/to/some-file')))
+
+      InlineSvg.configure do |config|
+        config.asset_finder = propshaft
+      end
+
+      expect(InlineSvg::FindsAssetPaths.by_filename('some-file')).to eq Pathname('/full/path/to/some-file')
+    end
+  end
+
+  context "when webpack finder returns an object with a relative asset path" do
+    it "returns the fully qualified file path" do
+      webpacker = double('WebpackerDouble')
+
+      expect(webpacker).to receive(:find_asset).with('some-file').
+        and_return(double(filename: Pathname('/full/path/to/some-file')))
+
+      InlineSvg.configure do |config|
+        config.asset_finder = webpacker
+      end
+
+      expect(InlineSvg::FindsAssetPaths.by_filename('some-file')).to eq Pathname('/full/path/to/some-file')
+    end
+  end
+
+  context "when webpack finder returns an object with an absolute http asset path" do
+    it "returns the fully qualified file path" do
+      webpacker = double('WebpackerDouble')
+
+      expect(webpacker).to receive(:find_asset).with('some-file').
+        and_return(double(filename: Pathname('https://my-fancy-domain.test/full/path/to/some-file')))
+
+      InlineSvg.configure do |config|
+        config.asset_finder = webpacker
+      end
+
+      expect(InlineSvg::FindsAssetPaths.by_filename('some-file')).to eq Pathname('https://my-fancy-domain.test/full/path/to/some-file')
+    end
+  end
 end

data/spec/helpers/inline_svg_spec.rb

@@ -46,6 +46,17 @@ describe InlineSvg::ActionView::Helpers do
         expect(output).to be_html_safe
       end
 
+      it "escapes malicious input" do
+        malicious = "--></svg><script>alert(1)</script><svg>.svg"
+        allow(InlineSvg::AssetFile).to receive(:named).
+          with(malicious).
+          and_raise(InlineSvg::AssetFile::FileNotFound.new)
+
+        output = helper.send(helper_method, malicious)
+        expect(output).to eq "<svg><!-- SVG file not found: '--&gt;&lt;/svg&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;svg&gt;.svg' --></svg>"
+        expect(output).to be_html_safe
+      end
+
       it "gives a helpful hint when no .svg extension is provided in the filename" do
         allow(InlineSvg::AssetFile).to receive(:named).
           with('missing-file-with-no-extension').

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: inline_svg
 version: !ruby/object:Gem::Version
-  version: 1.7.1
+  version: 1.8.0
 platform: ruby
 authors:
 - James Martin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-17 00:00:00.000000000 Z
+date: 2022-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -130,6 +130,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".github/workflows/integration_test.yml"
+- ".github/workflows/rails_6_webpacker_integration_tests.yaml"
 - ".github/workflows/ruby.yml"
 - ".gitignore"
 - ".rubocop.yml"
@@ -147,6 +148,7 @@ files:
 - lib/inline_svg/finds_asset_paths.rb
 - lib/inline_svg/id_generator.rb
 - lib/inline_svg/io_resource.rb
+- lib/inline_svg/propshaft_asset_finder.rb
 - lib/inline_svg/railtie.rb
 - lib/inline_svg/static_asset_finder.rb
 - lib/inline_svg/transform_pipeline.rb
@@ -215,8 +217,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Embeds an SVG document, inline.